Filter: Exclude Entitlements from Search Campaign

Hey Team,

We are using a workflow that generates certification campaigns on department changes. Previously we have been able to exclude all entitlements from the campaign by adding an "indices" node to the HTTP payload followed by "roles", "accessprofiles":

{
    "autoRevokeAllowed": true,
    "description": "123123.",
    "emailNotificationEnabled": true,
    "name": "New Department",
    "recommendationsEnabled": true,
    "searchCampaignInfo": {
        "identityIds": [
            "123123"
        ],
        "indices": [
            "accessprofiles","roles"
        ],
        "query": "NOT tags:BAS AND NOT source.name:\"Google Cloud Identity\"",
        "reviewer": {
            "id": "123123",
            "type": "IDENTITY"
        },
        "type": "ACCESS"
    },
    "type": "SEARCH"
}

Until recently, I noticed that entitlements are not excluded anymore. Does anyone have a good idea on how to exclude all entitlements from a search campaign and only include accessprofiles + roles?

Thanks in advance.
Seb

Hi Sebastian,
You can exclude the entitlements by creating a campaign filter and adding the entitlements to be excluded. When you add this filter while creating a campaign, it will exclude all the entitlements and create the campaign.
You can refer to this document to create campaign filters: Using Campaign Filters - SailPoint Identity Services
After creating the campaign filter, add its id into the payload:
{
    "autoRevokeAllowed": true,
    "description": "123123.",
    "emailNotificationEnabled": true,
    "name": "New Department",
    "recommendationsEnabled": true,
    "filter": {
        "type": "CAMPAIGN_FILTER",
        "id": "xxxxxxxxxxxxxxx"
    },
    "searchCampaignInfo": {
        "identityIds": [
            "123123"
        ],
        "indices": [
            "accessprofiles","roles"
        ],
        "query": "NOT tags:BAS AND NOT source.name:\"Google Cloud Identity\"",
        "reviewer": {
            "id": "123123",
            "type": "IDENTITY"
        },
        "type": "ACCESS"
    },
    "type": "SEARCH"
}
Thanks!!

Hello Naveen,

Campaign filters are not really viable for us as we can't add 10,000 entitlements manually to the filter. Therefore, if it's possible to just exclude all entitlements by type, it would be best.

Hello Sebastian,
You can use the exclusion filter in this way.
The exclusion filter excludes the selected access items from the campaign. Let's say you have 10,000 entitlements. Add this exclusion filter:
Entitlement Does Not Equal Entitlement1. This will exclude all the entitlements except entitlement1 from the campaign. Add another exclusion filter: Entitlement Equal Entitlement1.
This will exclude entitlement1 from the campaign.
This method should be able to remove all the entitlements from the campaign.
Thanks!!

Hey,

You can’t just add a random dummy entitlement, it needs to be an entitlement that has been aggregated into ISC.

Also, in the filter you need to do it separately for each source, which isn't really optimal in the long run.

Ideally you could search on the type or _type attributes that are set on all search objects, but that doesn’t seem to work.

Based on the searchable fields for entitlements, the value attribute should be set on all entitlements, but it does not exist on the data model for roles or access profiles. You can update your query to exclude all results that have a value for this attribute with AND NOT _exists_:value. The attribute and privileged attributes could also be used/combined in this manner since they are also specific to the entitlement data model at the moment.

Thanks, will give this a try tomorrow.

Also, in the GUI search I tried to query with AND NOT @entitlements(), which excludes the entitlements in the GUI; however, when using the same query in an HTTP request the generation is failing... Have you tried this query also @nsorlien?

Hmm, I haven’t queried nested fields in that way before. That attribute exists on both roles and access profiles but not on entitlements, so it seems search is matching all objects that have that attribute regardless of the data within it. Not sure if that is intended behavior, which could explain why it works in the UI but not when used in the create campaign HTTP request.

Thanks, the exists query worked!
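As an added illustration (not code from any poster in this thread), the following Python builds the search-campaign payload shown above with the AND NOT _exists_:value clause appended, and applies the same exclusion logic locally to a few constructed search documents so the effect can be checked before a campaign is created. The helper names, the sample documents and the "source"/"tags" field shapes are assumptions for the example.

```python
import json

# Constructed sample search documents (not real ISC data). They mirror the
# data-model difference the thread relies on: entitlements carry a "value"
# attribute, roles and access profiles do not.
SAMPLE_DOCS = [
    {"_type": "entitlement", "name": "Domain Admins", "value": "CN=Domain Admins",
     "source": {"name": "Active Directory"}, "tags": []},
    {"_type": "accessprofile", "name": "Finance AP",
     "source": {"name": "Active Directory"}, "tags": []},
    {"_type": "role", "name": "Analyst", "tags": ["BAS"]},
    {"_type": "entitlement", "name": "GCI Group", "value": "group-1",
     "source": {"name": "Google Cloud Identity"}, "tags": []},
]

BASE_QUERY = 'NOT tags:BAS AND NOT source.name:"Google Cloud Identity"'
EXCLUDE_ENTITLEMENTS = "NOT _exists_:value"  # clause from the thread


def build_search_campaign(base_query, identity_ids, reviewer_id, name):
    """Return the create-campaign payload from the thread, with the
    entitlement-exclusion clause appended to the search query."""
    return {
        "autoRevokeAllowed": True,
        "description": name,
        "emailNotificationEnabled": True,
        "name": name,
        "recommendationsEnabled": True,
        "searchCampaignInfo": {
            "identityIds": list(identity_ids),
            "indices": ["accessprofiles", "roles"],
            "query": f"{base_query} AND {EXCLUDE_ENTITLEMENTS}",
            "reviewer": {"id": reviewer_id, "type": "IDENTITY"},
            "type": "ACCESS",
        },
        "type": "SEARCH",
    }


def is_excluded(doc):
    """Local approximation of the full query: drop documents tagged BAS, from
    the Google Cloud Identity source, or carrying a 'value' attribute."""
    if "BAS" in doc.get("tags", []):
        return True
    if doc.get("source", {}).get("name") == "Google Cloud Identity":
        return True
    return "value" in doc  # the _exists_:value test


def surviving_names(docs=SAMPLE_DOCS):
    """Names of the documents the campaign query would still include."""
    return [d["name"] for d in docs if not is_excluded(d)]


if __name__ == "__main__":
    payload = build_search_campaign(BASE_QUERY, ["123123"], "123123", "New Department")
    print(json.dumps(payload, indent=2))
    print("included:", surviving_names())
```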

